satow Posted April 24, 2012 Report Share Posted April 24, 2012 I am using the fully paid version of Immunet.Plus 3.0 on a Windows server 2003 (32 bit) It is my main file and binary server. We have an agreement with Adobe which allows us to install their Master collection suite on various machines using a program called a serializer. This program is valid and was given to us directly from Adobe. This serializer generates the license code and registers the software with Adobe. The problem I am having is that the Quarantine agent keeps quarantining the serializer executable. We know it is legitimate and not a trojan. It detects it as a Clam.Trojan.Agent-260901. I try to put it into the Protection Exclusions list under Settings, but it keeps on quarantining the files. Is there a fix or a way to prevent the quarantining of this file? Thanks, Bruce Link to comment Share on other sites More sharing options...
ritchie58 Posted April 24, 2012 Report Share Posted April 24, 2012 Hi Bruce, You could try and restore the file from Quarantine. Open the GUI > just below History click on Quarantine > find the file in question and click on it and click on Restore. That should automatically put the correct file path in Immunet's Exclusion List and Adobe's serializer should work then. There is a very small chance the file may not restore properly from Quarantine or if there's something else with the program conflicting with Immunet and the file keeps getting quarantined, if that occurs, try manually adding the entire Program Files folder into the Exclusion List, if the software has created a folder in the Program Files directory. Also, before running the executable again, temporarily disable "Monitor Program Install" and "Blocking Mode" in the Settings as well. If you continue to have problems please send a SDT report to support@immunet.com. Submitting a copy of the software or where to download it from with the SDT report might be helpful too. That way it can be manually "whitelisted" on the sever side. How to create and submit a SDT report can be found here. Best regards, ritchie58... Link to comment Share on other sites More sharing options...
Rob.T Posted April 30, 2012 Report Share Posted April 30, 2012 Very interesting.... there are a few solutions here: 1) As richie pointed out you can add an exclusion for the file. Actually, make sure you exclude the entire the directory that serializer is installed to, not just the serializer binairy itself. This should prevent it and any files it generates from being quarantined. 2) You can send the searilizer installer to support@immunet.com and we can have our malware analysts examine it, and whitelist it if it is indeed safe. Check with IT admins before sending us this file though as it may be considered proprietary/company property. 3) If 2 is a no go you can contact you're Adobe rep and get them in contact with us, and I'm sure we can find a way to avoid FP'ing on their files. All of the above options will take some time though - probably between two weeks and a couple months. 4) If you are using fireAMP (Immunet's Enterprise solution), you can white list this file immediately (this exactly the type of thing fireAMP was built to handle). Link to comment Share on other sites More sharing options...
satow Posted April 30, 2012 Author Report Share Posted April 30, 2012 Thanks everyone. Yes the add exception from the quarantine works. I found you have to make an exception for the directory AND the binary. Then it works and the serializer binary doesn't get quarantined. I think I understand the logic. If you just make an exception for the directory, if someone puts an infected file inside that directory after it has been excepted, then the file inside might not get quarantined. If you do just the file in the directory, the other files in that directory might be infected. Interesting.... Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.